@PeteTrombone opened this Issue on November 2nd 2020

The opt-out function in an iframe no longer works on iOS / macOS if the Matomo domain is different to the page domain.
The following message is displayed:
"The tracking opt-out feature requires cookies to be enabled."

This is a big data protection problem in Europe!

@Findus23 commented on November 2nd 2020 Member


That's the issue with blocking third-party cookies (or more precisely with blocking iFrames in a website from setting a cookie on another domain). It is great for privacy (if every website was allowed to read and write cookies from tracking.example, people could be tracked easily between domains).
But it also means that if you are tracking yourwebsite.example with matomo.example and are embedding the iFrame, you are stopping it from setting the opt-out cookie on matomo.example as this is also a third-party domain.

Now one solution is setting the opt-out cookie on the domain of the tracked website, but this is nothing the iFrame can do (as it only has access to the matomo.example domain) and is what is done when using this guide: https://developer.matomo.org/guides/tracking-javascript-guide#optional-creating-a-custom-opt-out-form

But this also means that you cannot opt out of tracking on matomo.example for all sites that are tracked there, but just for the one you are currently on.

I don't really have a solution, as any method that allows storing the user consent status/opt-in/opt-out also allows storing tracking data about this user and will therefore be (rightfully) limited by browsers and browser extensions.

If you (or anyone else) have an idea on what could be done here, it would be great.

@tsteur commented on November 2nd 2020 Member

BTW if the privacy page includes the Matomo tracker and points to the same page Matomo tracker instance, then first party cookies will be used additionally to the third party. This was implemented in https://github.com/matomo-org/matomo/pull/15184

Meaning, if there's e.g. a tracker on the privacy policy page pointing to https://matomo.example.org/matomo.php and the opt-out is also loaded from https://matomo.example.org/index.php?module=...&action=optout... then Matomo would also try to set a first-party cookie for this site using a feature called postMessage.

Besides this there isn't anything else we can do, I suppose, except for a custom opt-out form as mentioned in the previous comment.
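
The postMessage approach described above, sketched as an added example that is not part of the thread and not Matomo's own code: the embedding page listens for a message from the opt-out iframe, checks its origin, and sets a first-party cookie itself. The message shape (`type`, `optedOut`) and the cookie name are assumptions made for illustration; the origin is taken from the example URL in the comment.

```javascript
// Added illustration: message shape and cookie name are hypothetical,
// not Matomo's actual postMessage protocol.
const TRUSTED_ORIGIN = 'https://matomo.example.org'; // host from the thread's example URL
const COOKIE_NAME = 'optout_demo';                   // hypothetical first-party cookie name
const ONE_YEAR = 365 * 24 * 60 * 60;                 // seconds

// Accept a message only if it comes from the exact trusted origin and has
// the expected shape. Returns { optedOut: boolean } or null.
function parseOptOutMessage(event, trustedOrigin) {
  // Exact string comparison: prefix, suffix or loose regex checks would let
  // look-alike origins such as https://matomo.example.org.other.example through.
  if (!event || event.origin !== trustedOrigin) return null;
  let msg = event.data;
  if (typeof msg === 'string') {
    try { msg = JSON.parse(msg); } catch { return null; }
  }
  if (msg === null || typeof msg !== 'object') return null;
  if (msg.type !== 'optout-state' || typeof msg.optedOut !== 'boolean') return null;
  return { optedOut: msg.optedOut };
}

// Build the first-party cookie string. Nothing from the message is copied
// into the cookie, so the sender cannot inject attributes or values.
function buildCookie(state) {
  const maxAge = state.optedOut ? ONE_YEAR : 0; // Max-Age=0 deletes the cookie
  return `${COOKIE_NAME}=1; Path=/; Max-Age=${maxAge}; Secure; SameSite=Lax`;
}

function handleMessage(event, trustedOrigin = TRUSTED_ORIGIN) {
  const state = parseOptOutMessage(event, trustedOrigin);
  return state ? buildCookie(state) : null;
}

// Browser wiring; skipped when run outside a browser.
if (typeof window !== 'undefined') {
  window.addEventListener('message', (event) => {
    const cookie = handleMessage(event);
    if (cookie) document.cookie = cookie;
  });
}
```

Because the cookie is written by the embedding page, it only records the opt-out for that site, which matches the limitation noted earlier in the thread.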
